vless+xhttp+caddy简单配置

[wangziyao318]

发现caddy比nginx简单很多，就贴一个基于caddy反代的简单配置，优点是不用管tls证书比较省事，另外客户端可以随便切h2h3，tcp丢包多的线路可以试试udp。不过感觉跟naiveproxy差不多，不知道目前哪种特征更少。

加了个header认证，防止别人主动探测https://example.com/your-xray-path*。

因为用的tls，需要有一个域名，并配置好dns解析指向vps ip。

Caddyfile配置

{
	email yourmail@example.com
}

example.com {
	@grpc {
		path /your-xray-path*
		header x-access-token your-auth-token
	}

	handle @grpc {
		header -x-access-token
		reverse_proxy unix+h2c//dev/shm/xray.sock
	}

	handle {
		reverse_proxy https://some.fallback.site.com {
			header_up Host {upstream_hostport}
		}
	}
}

xray服务端入站

{
  "inbounds": [
    {
      "listen": "/dev/shm/xray.sock,0666",
      "protocol": "vless",
      "settings": {
        "clients": [
          {
            "id": "your-uuid"
          }
        ],
        "decryption": "none"
      },
      "streamSettings": {
        "network": "xhttp",
        "xhttpSettings": {
          "host": "",
          "path": "/your-xray-path",
          "mode": "auto"
        }
      }
    }
  ]
}

xray客户端出站

{
  "outbounds": [
    {
      "protocol": "vless",
      "settings": {
        "address": "your-vps-ip",
        "port": 443,
        "id": "your-uuid",
        "encryption": "none"
      }
      "streamSettings": {
        "network": "xhttp",
        "security": "tls",
        "tlsSettings": {
          "serverName": "example.com",
          "alpn": [
            "h2"
          ],
          "fingerprint": "chrome"
        },
        "xhttpSettings": {
          "host": "",
          "path": "/your-xray-path",
          "mode": "auto",
          "extra": {
            "headers": {
              "x-access-token": "your-auth-token"
            }
          }
        }
      }
    }
}

[zc16607]

两个问题，
1.基本上可以确定是按你这个配置后，只是我是容器，监听的端口，容器间转发。v2rayN连接不通。
2.xray容器启动后，看日志说warning，vless需要flow参数，后面版本升级必须要flow参数。你这个配置是空的，我感觉安全性存疑。

另外我查看官方给出的配置，vless-H2C的配置跟你这个版本很像。参考https://github.com/XTLS/Xray-examples/tree/main/VLESS-HTTP-Caddy/VLESS-H2C-Caddy
下一步，我将按照官方的这个文档尝试看能否成功。

[zc16607]

无意间发现有人提过flow参数的问题，新版本的xray配置应该配置flow参数。参考#5568
然后参考他的项目的配置文件，成功搭建起了服务，并且正常使用。#5568 (comment)

下面贴出我的配置
先说我的环境：
caddy容器（自己构建的带cloudflare dns模块）
xray容器（就官方出的那个）
两个容器使用同一个网络，以确保能够通过容器名互相连通。
Caddyfile文件内容

{
    email your_email@gmail.com
}

sub.example.com:443 {
    log {
        output file /var/log/careers.access.log {
            roll_size 10mb
            roll_keep 5
        }
    }
    
    tls {
        dns cloudflare {env.CLOUDFLARE_API_TOKEN}
        protocols tls1.3 tls1.3
        ciphers TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256
        curves x25519
    }

    @xhttp {
        path /your path eg: server/*
        # header x-access-token ePSJwvSPYkmEF1BKLu3SlvKDVCeOR3bT
    }

    handle @xhttp {
        # header -x-access-token
        reverse_proxy xray:8443 {
            header_up X-Real-IP {http.request.header.CF-Connecting-IP}
            header_up X-Forwarded-For {http.request.header.CF-Connecting-IP}
            flush_interval -1
            transport http {
                versions h2c
            }
        }
    }

    handle {
        root * /srv/sub.example.com
        file_server
    }
}

caddy的docker-compose.yml文件

services:
  caddy:
    build: .
    image: caddy-l4-cf:latest
    container_name: caddy
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
      - "443:443/udp"
    volumes:
      - ./conf:/etc/caddy
      - ./site:/srv
      - ./data:/data
      - ./config:/config
    environment:
      - CLOUDFLARE_API_TOKEN=your cf token，开放80端口就非必须
    networks:
      - app-network

networks:
  app-network:
    external: true

创建caddy镜像的Dockerfile文件

FROM caddy:builder AS builder

RUN --mount=type=cache,target=/go/pkg/mod \
    --mount=type=cache,target=/root/.cache/go-build \
    xcaddy build \ 
    --with github.com/mholt/caddy-l4 \
    --with github.com/caddy-dns/cloudflare

FROM caddy:alpine

COPY --from=builder /usr/bin/caddy /usr/bin/caddy

xray_server.json文件

{
    "log": {
        "loglevel": "info"
    },
    "inbounds": [
        {
            "tag": "VLESS_INBOUND_XHTTP",
            "listen": "0.0.0.0",
            "port": 8443,
            "protocol": "vless",
            "settings": {
                "clients": [
                    {
                        "id": "your uuid",
                        "flow": "xtls-rprx-vision"
                    }
                ],
                "decryption": "xray vlessenc生成，选第一个decryption"
            },
            "streamSettings": {
                "network": "xhttp",
                "xhttpSettings": {
                    "mode": "auto",
                    "path": "your path, eg: server"
                }
            }
        }
    ],
    "outbounds": [
        {
            "protocol": "freedom",
            "settings": {},
            "tag": "DIRECT"
        },
        {
            "protocol": "blackhole",
            "settings": {},
            "tag": "BLOCK"
        }
    ],
    "routing": {
        "rules": [
            {
                "ip": [
                    "geoip:private"
                ],
                "outboundTag": "BLOCK",
                "type": "field"
            },
            {
                "domain": [
                    "localhost"
                ],
                "outboundTag": "BLOCK",
                "type": "field"
            }
        ]
    }
}

xray的docker-compose.yml文件：

services:
  xray:
    image: ghcr.io/xtls/xray-core:26.1.18
    container_name: xray
    restart: unless-stopped
    expose:
      - "8443"
    volumes:
      - ./config:/usr/local/etc/xray
      - ./logs:/var/log/xray
    environment:
      - TZ=Asia/Shanghai
    networks:
      - app-network

networks:
  app-network:
    external: true

文件结构：
docker-app/
├── caddy
│ ├── conf
│ │ └── Caddyfile # caddy配置文件
│ ├── config
│ ├── data # tls相关文件
│ ├── docker-compose.yml
│ ├── Dockerfile # caddy镜像构建文件，有80端口，也可以使用官方的镜像，不用cf的dns token来签发证书
│ └── site
│ └── sub.example.com # 网站目录，这下面放伪装的网站内容
│ └── index.html
└── xray
├── config
│ └── xray_server.json # xray服务端配置文件
├── docker-compose.yml
└── logs

创建容器之前先创建网络(app-network)
docker network create app-network

客户端使用：
vless://{xray_uuid}@{sub.example.com}:{port}?encryption={xray_encryption_key}&flow=xtls-rprx-vision&security=tls&sni={sub.example.com}&alpn=h3%2Ch2%2Chttp%2F1.1&type=xhttp&host={sub.example.com}&path={xray_path}&mode=auto#{encoded_remark}
将上面带{}的部分替换为自己的配置，复制粘贴到客户端就能使用了。

整体的网络结构参考：